Spain Spied on Moroccan Officials’ Computers Between 2007-2014

Tarik El Barakah is a journalist and Morocco World News correspondent in Rabat.

Feb 17, 2015

Rabat – A former Spanish spy has revealed that a large number of Moroccan personalities were being monitored by the Spanish intelligence agencies.

David R. Vidal, a former North Africa-based contributor with Spain’s National Intelligence Center (CNI), told Spanish daily El Mundo that he was given orders in 2005 to develop a Trojan horse virus for intercepting phone calls and mobile phone data of “people of interest” in Morocco.

Vidal, who now runs a consultancy firm called Global Chase, said that the Trojan horse virus known as “the Mask” (aka Careto) allowed the Spanish secret services to infiltrate phones and computers of several personalities in the Moroccan administration.

Initially developed to help monitor illegal immigrants, Careto, described by El Mundo as a Trojan horse whose code was written in a very pure-blooded Spanish, was gradually extended to the surveillance of key Moroccan figures, including high-ranking officials of the police apparatus and even ministers.

Between 2007 and early 2014, Careto infected around 383 computer IP addresses belonging to the Moroccan administration, as well as mobile phones, the source noted, adding that Brazilian institutions have also suffered similar treatment.

In 2014, Kaspersky Lab, an international group which specializes in software security, was able to uncover Careto. The Russian company described the virus as “one of the most advanced global cyber-espionage operations to date due to the complexity of the toolset used by the attackers.”

Kaspersky's security research team said that Careto has been involved in cyber-espionage operations since at least 2007 and that victims of this targeted attack have been found in 31 countries around the world, from the Middle East and Europe to Africa and the Americas.

The Russian company also noted that the very high degree of professionalism in the operational procedures of the group behind Careto is among several reasons that “make us believe that this could be a part of a nation-state sponsored campaign.”

“The main objective of the attackers is to gather sensitive data from the infected systems. These include office documents, but also various encryption keys, VPN configurations, SSH keys (serving as a means of identifying a user to an SSH server) and RDP files (used by the Remote Desktop Client to automatically open a connection to the reserved computer),” Kaspersky said.

The company also said that the authors of the Trojan horse appear to be native Spanish speakers, adding that besides Morocco, infections have been observed in Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.